New Threats to Cyber-Security

• Usual view of threat environment
• Looking backwards from today’s threats
• Looking forwards to future threats
• The need for prevention is pressing
Usual view of threat environment

47% of US adults had their personal information exposed by hackers

90% of US businesses report being breached; 59% report being hacked more than once

Total malware: nearly 250,000 malware artifacts by 1Q14

Earnings headline: “Target Earnings Slide 46% After Data Breach”



Sources: Ponemon Institute; CNNMoney study, May 28, 2014; McAfee Quarterly Threat Report, June 2014; Wall Street Journal, Feb 26, 2014

retailcustomerexperience.com - 5_lessons_learned_from_recent_retail_data_breaches.pdf


Software Engineering Institute, Carnegie Mellon University

Mark Sherman, S5: New Threats to Cyber-Security

©2014 Carnegie Mellon University


Looking backwards from today’s threats

92% of the 100,000 incidents from the last 10 years can be described by 9 basic patterns:

• Insider misuse
• DoS attacks
• Cyber-espionage
• Crimeware
• Web app attacks
• Physical theft and loss
• Payment card skimmers
• Point-of-sale intrusions
• Miscellaneous errors
Looking forwards to future threats

Cyber threats track the evolution of technology:

• Software is the new hardware
• Covering the next last mile
• Expanding endpoints
• Development is now assembly
Software is the new hardware

IT is moving from specialized hardware to software, virtualized as:
• Memory
• Storage
• Servers
• Switches
• Networks

Cyber-physical systems (CPS) are evolving to a computer with interesting peripherals:
• Airplane function in software moved from 8% to 80% since 1960
• Software defined radios drive communication
• Television evolved to digital signal processors

Consequences for security:
• Hardware security needs software analogs
• New programming models need secure coding guidelines
• Guard against side channel attacks enabled by virtualization
Covering the next last mile - securing the border and end points

The last mile has expanded to:

Cellular
• Main processor
• Baseband processor
• Secure element (SIM)

Automotive
• Intravehicular: more than 50 networked processors
• Vehicle to infrastructure (V2I): congestion management, emergency services, law enforcement
• Vehicle to vehicle (V2V): safety, efficiency

Industrial and home automation
• SCADA
• Bluetooth
• Zigbee

Aviation
• Fly by wire
• Next Gen air traffic control

Smart grid

Embedded medical devices
Development is now assembly

[Figure: a business application assembled from off-the-shelf components: HTTP server, XML parser, application server, servlet container, MySQL database, MongoDB, GIF library]

At least 75% of organizations rely on open source as the foundation of their applications
Open source supply chain is vulnerable

• Security skills haphazard among developers
• No provenance of code
• No process for updates
• Transitive vulnerabilities from open source dependencies
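The transitive-vulnerability point above, as an added example that is not part of the slides: the dependency graph is constructed from the components named on the "Development is now assembly" slide, and the edges between them and the advisory identifiers are assumptions made for illustration, not statements about real products.

```python
# Constructed graph: component -> direct dependencies. The edges are assumptions
# made for this example; the component names come from the slide.
DEPENDENCIES = {
    "business-application": ["application-server", "mysql-database", "mongodb"],
    "application-server": ["servlet-container", "http-server"],
    "servlet-container": ["xml-parser"],
    "http-server": ["gif-library"],
    "mysql-database": [],
    "mongodb": [],
    "xml-parser": [],
    "gif-library": [],
}

# Constructed advisory feed with placeholder identifiers (not real CVE ids).
ADVISORIES = {
    "gif-library": "ADVISORY-PLACEHOLDER-1",
    "xml-parser": "ADVISORY-PLACEHOLDER-2",
}


def transitive_deps(root, graph):
    """Return {component: path_from_root} for everything reachable from root.

    Iterative depth-first walk; the 'seen' dict also guards against cycles.
    """
    seen = {}
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        for dep in graph.get(node, []):
            if dep in seen or dep == root:
                continue
            seen[dep] = path + [dep]
            stack.append((dep, seen[dep]))
    return seen


def affected(root, graph, advisories):
    """List (component, advisory, depth, path) for reachable components that
    carry an advisory. depth == 1 is a direct dependency; larger is transitive,
    i.e. a vulnerability the application inherits without ever naming it."""
    hits = []
    for dep, path in transitive_deps(root, graph).items():
        if dep in advisories:
            hits.append((dep, advisories[dep], len(path) - 1, " -> ".join(path)))
    return sorted(hits)


if __name__ == "__main__":
    for dep, adv, depth, path in affected("business-application", DEPENDENCIES, ADVISORIES):
        kind = "direct" if depth == 1 else "transitive"
        print(f"{adv}: {dep} ({kind}, depth {depth}) via {path}")
```

Neither vulnerable component is a direct dependency of the application, which is exactly why a manifest that lists only first-level dependencies misses them.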
An ounce of prevention is worth a pound of cure

“We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security.”

Bruce Schneier in Viega and McGraw, “Building Secure Software,” 2001
The need for prevention is pressing

• 19% fail to carry out security requirement definition
• 27% do not practice secure design review
• 30% do not use static analysis or manual code review during development
• 47% do not perform acceptance tests for third-party code

[Figure: secure development life cycle diagram with the labels Mission thread (Business process), Threat Analysis, Abuse Cases, Architecture and Design Principles, Rules and Guidelines, Coding, Testing, Validation and Verification, Monitoring, Breach Awareness, Requirements and Acquisition, Deployment and Operations, Sustainment]

More than 81% do not coordinate their security practices in various stages of the development life cycle.

Source: Forrester Consulting, “State of Application Security,” January 2011
Foresight leads to proactive defense

Tracking the evolution of technology arms developers for securing the next generation of applications.
Contact Information

Mark Sherman
(412) 268-9223
mssherman@sei.cmu.edu

Web Resources (CERT/SEI)
http://www.cert.org/
http://www.sei.cmu.edu/